Conversation
alxdavids
left a comment
alxdavids
left a comment
There was a problem hiding this comment.
Mostly looks good to me, most of my comments relate to style.
sign/ed448/ed448.go
Outdated
| _ = goldilocks.Curve{}.ScalarBaseMult(s).ToBytes(pair.public[:]) | ||
| P := &goldilocks.Point{} | ||
| goldilocks.Curve{}.ScalarBaseMult(P, s) | ||
| enc, _ := P.MarshalBinary() |
There was a problem hiding this comment.
Encoding always succeeds, but Go's standard MarshalBinary interface doesn't care. Maybe it's worthwhile having a separate PackInto function that writes into a buffer instead of returning it. Saves an allocation and then you don't have an error to confuse people about.
There was a problem hiding this comment.
Since this error will not occur, added a panic if it happens. Not the best way to handle this error.
I will consider adding PackInto.
ecc/goldilocks/point.go
Outdated
| fp.Sub(u, u, &one) // u = y^2-1 | ||
| fp.Sub(v, v, &one) // v = dy^2-1 | ||
| isQR := fp.InvSqrt(&P.x, u, v) // x = sqrt(u/v) | ||
| if !isQR { |
There was a problem hiding this comment.
updated take a look
There was a problem hiding this comment.
It might be hard though to write constant time algorithms using this function as it returns an error instead of an int. In go-ristretto I have two variants: Equals and EqualsI. The former returns the idiomatic bool and the latter an int, which allows one to write constant time code.
ecc/goldilocks/twist.go
Outdated
|
|
||
| var isZero int | ||
| if k.IsZero() { | ||
| if kk.IsZero() { |
|
I'll check this tomorrow @armfazh |
|
Nice! Have you run it against the vectors of: https://sourceforge.net/p/ed448goldilocks/code/ci/master/tree/test/ ? |
wbl
left a comment
wbl
left a comment
There was a problem hiding this comment.
We should talk more about where the formulas come from and how to make clear the code matches them.
ecc/goldilocks/curve.go
Outdated
| // Double returns 2P. | ||
| func (Curve) Double(P *Point) *Point { R := *P; R.Double(); return &R } | ||
| // Double calculates R = 2P. | ||
| func (Curve) Double(R, P *Point) { *R = *P; R.Double() } |
There was a problem hiding this comment.
This is a change to the external API of the package.
armfazh
force-pushed
the
addDecaf
branch
2 times, most recently
from
93a4a24 to
c97b01e
Compare
armfazh
force-pushed
the
addDecaf
branch
2 times, most recently
from
f120857 to
ec347f5
Compare
armfazh
added
changesAPI
ecc/decaf/decaf.go
Outdated
| func IsValid(a *Elt) bool { return ted448.IsOnCurve(&a.p) } | ||
|
|
||
| // Identity returns the identity element of the group. | ||
| func Identity() *Elt { return &Elt{ted448.Identity()} } |
There was a problem hiding this comment.
I don't think the Go compiler gets rid of the allocation here.
|
@bwesterb Addressed requested changes. |
|
We should add here the draft-ristretto-decaf test vectors, which is pretty easy as they are the multiplicatives of the generator. We can also add here the one-way-map of the draft. I also did a small implementation here of it: https://github.com/claucece/sage-ristretto255-decaf448 in sage. |
ecc/goldilocks/decaf.go
Outdated
| } | ||
|
|
||
| s := &fp.Elt{} | ||
| copy(s[:], b[:fp.Size]) |
There was a problem hiding this comment.
Mmm.. is there a reason why this constrain should be enforced b[:fp.Size]?
|
@armfazh what's the plan for this PR? |
Just pushed changes that update this PR. |
armfazh
requested review from
bwesterb and
claucece
and removed request for
wbl
It's been a while back, but I believe I haven't gone through all the maths in detail. If you want a detailed review, then I'll need to dedicate a day or two to it. Is there a deadline? |
Squashed commit of the following: commit ec347f5 Author: armfazh <armfazh@cloudflare.com> Date: Fri Jul 24 15:28:34 2020 -0700 Adding decaf group. commit 796b37e Author: armfazh <armfazh@cloudflare.com> Date: Wed Jul 22 19:44:07 2020 -0700 Updates internal packages of Ed448. commit f5957e7 Author: armfazh <armfazh@cloudflare.com> Date: Wed Jul 22 19:11:15 2020 -0700 Updating Decaf documentation. commit 6f573e6 Author: armfazh <armfazh@cloudflare.com> Date: Wed Jul 22 13:56:12 2020 -0700 Updating documentation of ted448 internal package. commit 7e80bfc Author: armfazh <armfazh@cloudflare.com> Date: Wed Jun 10 01:56:31 2020 -0700 Adapting ed448 for using the internal ted448 package. commit 44ce6c5 Author: armfazh <armfazh@cloudflare.com> Date: Tue Jun 9 23:36:17 2020 -0700 ted448 point public fields. commit 13dd30d Author: armfazh <armfazh@cloudflare.com> Date: Tue Jun 9 20:32:32 2020 -0700 Moving twist implementation to an internal package. commit 4cdcb71 Author: armfazh <armfazh@cloudflare.com> Date: Mon Jun 1 01:30:22 2020 -0700 Solving scalar constant-time operations. commit 26b9ea4 Author: armfazh <armfazh@cloudflare.com> Date: Thu May 21 09:21:36 2020 -0700 Review comments on formulas. commit ff821b5 Author: armfazh <armfazh@cloudflare.com> Date: Tue May 19 16:54:36 2020 -0700 Adding tests for detecting decaf/point invalid encodings. commit 3881ea8 Author: armfazh <armfazh@cloudflare.com> Date: Fri May 15 15:13:53 2020 -0700 One test for decaf, unmarshaling straight-line code, and check for errors. commit 9b048c0 Author: armfazh <armfazh@cloudflare.com> Date: Thu May 14 18:12:57 2020 -0700 Updating interface for decaf and curve. commit a99153c Author: armfazh <armfazh@cloudflare.com> Date: Thu May 14 16:10:04 2020 -0700 Adding goldilocks documentation. commit a62d6bd Author: armfazh <armfazh@cloudflare.com> Date: Thu May 14 14:15:02 2020 -0700 Adding decaf v1.1 and kat tests. commit c72bdfa Author: armfazh <armfazh@cloudflare.com> Date: Wed May 13 13:30:11 2020 -0700 Removing non-used fp functions. commit d4fc865 Author: armfazh <armfazh@cloudflare.com> Date: Tue May 12 11:47:57 2020 -0700 Adding some helper functions. commit 6173c83 Author: armfazh <armfazh@cloudflare.com> Date: Tue May 12 05:15:55 2020 -0700 Decaf decoding working. More tests needed. commit daa36c1 Author: armfazh <armfazh@cloudflare.com> Date: Mon May 11 16:16:16 2020 -0700 Decaf encoding is working, except by the choice of generator. commit 8933f6c Author: armfazh <armfazh@cloudflare.com> Date: Thu May 7 01:19:47 2020 -0700 Decaf encoding requires cannon sqrt. commit 9479b45 Author: armfazh <armfazh@cloudflare.com> Date: Wed Apr 29 14:51:21 2020 -0700 Adding support for decaf quotient group.
armfazh
requested review from
cjpatton
and removed request for
chris-wood,
claucece and
tanyav2
6 participants
Includes a package for the decaf group.
Decaf is specified https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-03, this implementation is fully compatible with draft. Test vectors for group operations and hashing to group are passing.
Decaf (circl/group) is a safe group abstraction on top of the Goldilocks (edwards448) curve (circl/ecc/goldilocks).
Ed448 also uses Goldilocks curve but only requires specific operations.
Internally, Goldilocks curve is implemented with ted448, a twist of the curve, since it provides faster point arithmetic.